Bug 1460675

Summary: Certificate management section needs some rework
Product: Red Hat Enterprise Linux 7
Reporter: Thorsten Scherf <tscherf>
Component: doc-Linux_Domain_Identity_Management_Guide
Assignee: Filip Hanzelka <fhanzelk>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Priority: high
Version: 7.3
CC: apetrova, ftweedal, rhel-docs, tscherf, yzimmerm
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2017-10-09 13:31:46 UTC
Type: Bug

Description Thorsten Scherf 2017-06-12 11:51:25 UTC
Description of problem:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request

The first issue is this:

# certutil -R -d path_to_database -a -g key_size -s "CN=server.example.com,O=EXAMPLE.COM" > certificate_request.csr
# ipa cert-request certificate_request.csr --principal=host/server.example.com

This will create a CSR which does not have a dnsName in the X.509 SAN
extension. Google Chrome browsers >= v58 won't be able to verify
such a certificate. Chances are high that other browsers will deprecate
the subject CN name verification soon as well and also require the
dnsName SAN extension in the certificate.

The second issue I see is that we need to explain to customers how to
create a CSR for a Kerberos principal alias. This was not working in the
past but has been fixed as part of BZ #1400529. The procedure is
different to the one above, because the way the feature has been
implemented is that you cannot list the Kerberos alias with the
cert-request --principal option but either have to list the alias as
dnsName or otherName in the X.509 CSR SAN extension and then request the
cert for the canonical principal name rather than the principal alias
name.

We can discuss the details in a later update.

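An added check, not part of this bug report or of the IPA guide it discusses: a small pure-Python DER walker that lists the SAN dNSName and otherName entries of a DER-encoded CSR (or of a bare SubjectAltName extension), which is exactly the property the guide's certutil line above does not produce. The samples are constructed inline; the otherName is shown with the id-pkinit-san OID (1.3.6.1.5.2.2, RFC 4556), and that this is the type IPA matches for a principal alias is an assumption here, not something the report states.

```python
SAN_OID = bytes.fromhex("551d11")               # id-ce-subjectAltName (2.5.29.17)
PKINIT_SAN_OID = bytes.fromhex("2b0601050202")  # id-pkinit-san (1.3.6.1.5.2.2, RFC 4556); assumed IPA type

def read_tlv(buf, pos):                         # decode one DER TLV; return (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length: the next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):                              # yield (tag, value) for each TLV packed in buf
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def find_san(buf):
    """Depth-first search for Extension { SAN_OID, [critical], extnValue }; return its GeneralNames bytes."""
    items = list(children(buf))
    if items and items[0] == (0x06, SAN_OID):
        return read_tlv(items[-1][1], 0)[1]     # extnValue OCTET STRING wraps the GeneralNames SEQUENCE
    for tag, value in items:
        if tag & 0x20 and (found := find_san(value)) is not None:  # constructed type: descend into it
            return found
    return None

def san_entries(der):
    """List (kind, detail) per GeneralName; [] when the blob carries no SAN extension at all."""
    out = []
    for tag, value in children(find_san(der) or b""):
        if tag == 0x82:                         # [2] dNSName, IA5String
            out.append(("dNSName", value.decode("ascii")))
        elif tag == 0xA0:                       # [0] otherName { type-id OID, [0] value }
            type_id = next(children(value))[1]
            out.append(("otherName", "id-pkinit-san" if type_id == PKINIT_SAN_OID else type_id.hex()))
        else:
            out.append(("unhandled", hex(tag)))
    return out

def covers_dns_name(der, name):                 # False for a subject-CN-only CSR such as the guide's
    return ("dNSName", name) in san_entries(der)

def tlv(tag, body):                             # DER encoder for the constructed samples (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed samples (not captured data): WITHOUT_SAN mimics the guide's CN-only CSR, WITH_SAN carries both SAN name forms.
WITHOUT_SAN = tlv(0x30, tlv(0x30, tlv(0x0C, b"CN=server.example.com")))
WITH_SAN = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30,
    tlv(0x82, b"server.example.com")                                                   # dNSName
    + tlv(0xA0, tlv(0x06, PKINIT_SAN_OID) + tlv(0xA0, tlv(0x30, tlv(0x1B, b"EXAMPLE.COM")))))))  # otherName
```

For a PEM CSR such as the one certutil -a writes, base64-decode the body between the BEGIN/END lines first; the walker takes DER.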